Get exclusive money‑saving offers and guides

The Sony PlayStation Hack [Infographic]

Information verified correct on December 10th, 2016

Are your credit card details safe?

Gamers were left puzzled on April 20 when the PlayStation Network went down, cutting off access to the store and a host of other services, including the media portal Qriocity. At almost two weeks and counting, the outage is the longest in the network's four-and-a-half-year history. But as it turns out, the threat to players is graver than an interruption to their spring-break gaming: they'd just been subject to one of the greatest security breaches in recent Internet memory.

The day after the shutdown, Sony acknowledged the issue, saying they were investigating the cause of the problem and that restoration may take a day or two. The reason was only alluded to not explicitly announced two days later, when officials admitted the network's security had been breached. The "external intrusion," as they called it, occurred sometime between April 17 and 19.

Little happened in the next few days, except for a few hasty announcements. On April 23, Sony apologised again and said they were rebuilding the system and strengthening its network infrastructure; two days later, Patrick Seybold, Senior Director of Corporate Communications and Social Media, blogged that he didn't have much in the way of updates just that the process was "time-intensive." No mention was made of the intrusion.

Like this infographic? You can embed it on your blog or website!

Embed this infographic in your website by copying and pasting the code below into your source code

Sony finally confirmed the worst on April 26, nearly a week after the shutdown. After reiterating its previous statements, it admitted, via its Verified Corporate Twitter feed, that the intrusion had compromised users' personal information, including credit card data. Members were promptly advised to monitor their accounts for suspicious activity and have their credit cards blocked for good measure.

On May 2, the company admitted they'd got the numbers wrong about 25 million more users were affected than previously thought, according to a Reuters report. A second attack also resulted in the theft of over 10,000 direct debit records from all over Europe, over 12,000 credit and debit card numbers from non-U.S. users, and an outdated database dating back to 2007, forcing Sony to take down the Sony Online Entertainment service.

Sony on the spot

Sony has understandably taken a beating from the incident. One could argue that their response was timely; they did turn off the network and its services as soon as the problem was detected. In an email to users on April 28, published by Gamers Hub, they detailed the steps they were taking to protect consumers. They included, among other things, hiring a third-party security firm to carry out a thorough investigation and rebuilding the system to "enhance security and strengthen [their] network infrastructure."

The main question is: why did it take them so long to own up? If they were so quick to act on it, why did they wait nine days to tell users their credit card information had been stolen?

Seybold answered some of the questions on the U.S. PlayStation blog. According to him, they learned of the intrusion and of the data theft at different times: they identified the former on the 19th and promptly shut services down, and had to conduct forensic analysis over several days to find out its scope. About a week later, their experts reported that credit card information had been stolen, after which they made the public announcement.

Gamasutra, a gaming blog, is one of many parties that aren't buying it. Editor Chris Morris believes Sony has long had problems with public communication. In an article about the alleged discontinuation of the PSP Go which also mentions the hack, he compares Sony to "an ostrich with its head in the sand," avoiding questions with motherhood statements and providing answers that are ambiguous.

Users added that if the breach were serious enough to require a complete shutdown on the 20th, Sony should have considered the possibility of data theft and alerted users right away, according to a report by UK website PC Pro. This would have allowed them to take preventive measures immediately, instead of leaving them vulnerable for six whole days.

As it happens, the first acknowledgment of the incident made no reference to a security breach, saying instead that the system was "undergoing maintenance." The first clue that the network had been hacked didn't come out until two days later, and for many, that's two days too many. In a letter to Sony representatives, Connecticut Senator Richard Blumenthal said it was troubling that they held back the details of the attack for so long.

Another question worth asking is how it happened. Unlike the delayed announcement issue, this one is clearly Sony's fault, as most experts agree. Carole Thierault of Sophos, a security software developer, says the whole point of data security is to protect your network from external attacks those perpetrated by parties outside the company and that's exactly what Sony allowed to happen. The fact that some of the data (luckily, not the credit card numbers) were unencrypted also shows lack of vigilance on Sony's part, according to Benjamin Cohen of Channel 4 News Technology.

Conspiracy theories

The question of who perpetrated the breach was nowhere near as significant, but it has generated some buzz of its own. To date, no one knows although conspiracy theories have turned up to no one's surprise. Initial speculations pointed to Anonymous, a group of online vigilantes who had previously slammed Sony for taking legal action against George Hotz, a 21-year-old who had cracked the PlayStation's software so that it could run unauthorised programs. Many think that the breach was Anonymous's way of teaching Sony a lesson.

In online forums, gamers are putting forward their own theories. Certain members on Gameslurp.com think that Sony is using the Anonymous excuse to its advantage, covering up the fact that the breach was in fact the result of its own shortcomings. After all, they say, it's easier than owning up to their fault, and it channels the hate mostly of those looking forward to some gaming over the Easter break away from them and towards Anonymous.

Sony has denied that the "hacktivists" had anything to do with the attack, although at the time of the May 1st interview they haven't come up with an alternative. In a press conference in Tokyo, as reported by PC World, Games Division CEO Kaz Hirai admitted that while they had been attacked by Anonymous a few weeks before, they found no link between the group and the breach in question. Anonymous themselves posted a blog denying any involvement, although they didn't rule out the fact that some of their members may have acted individually.

The bigger picture

In terms of users affected, the Sony PlayStation breach far outpaces the 2007 attack on the department store chain TJX, where some 45 million accounts were compromised. Canada's CBC News ranks it one of the top five security breaches* of all time. Investigations have been conducted, accusations fired, lawsuits filed. But the important questions why and how it happened, what users should do, whether it could have been prevented and how remain unanswered. What do these events mean for Sony, its users, and the business of online security?

No clear reason has been given for the breach and how it happened. And if Sony takes a cue from other who have faced similar situations, it will only speak if pressured in court. That day may come soon enough: the UK's Information Commissioner's Office, Canada's Privacy Commissioner Jennifer Stoddart, and Senator Blumenthal have all announced intentions to question the company and conduct investigations. U.S. Representatives Mary Bono Mack and G.K. Butterfield have sent a letter to Sony demanding information on the breach's discovery and how it plans to deal with the crisis.

While we're waiting for answers, speculations abound. The Daily Telegraph highlights the fact that any system linked to the Web is prone to data theft. And with a 77-million-strong customer base and just as much credit card information up for grabs, the PlayStation Network was practically winking and waving at hackers.

Even if credit card data hadn't been stolen, password files were. And even if changing your password were all it took to patch things up, it brings to light another issue: the encryption of user data. Experts have been urging companies to do this for years, according to the Telegraph. But Sony admitted in one of its many statements that the stolen passwords were unencrypted. That's a whole new bag of questions and accusations right there.

The incident is also a major blow to cloud computing, the practice of storing and retrieving data from a central location instead of individual computers. The Sony experience, dubbed IT's "Deepwater Horizon moment" in a Eurogamer article, sheds light on the weaknesses of the system, both to users and providers. Given that many companies are just about to jump on the trend, this fiasco may have come at just the right time.

What users can do

1. Keep a look out for phishing attempts in the form of e-mail scams

In its April 28 message, Sony advised PlayStation Network users to watch out for phone, mail, and e-mail scams, particularly those that ask for personal information. They maintained that Sony would never ask for any identity information, including credit card and social security numbers and reminded users never to provide them to any third party. They also urged users to change their username and password as soon as the PlayStation Network and Qriocity services were back on, and do the same for any accounts (even unrelated ones) where they use the same username and password.

2. Keep a close eye on your credit card statement

Sony also encouraged users to check their account statements and credit reports for any unauthorised transactions. They provided contact information for Experian, TransUnion, and Equifax, the three major credit bureaus in the U.S., and said that U.S. residents can have one copy of the report for free every year. As an added measure, users can have a "fraud alert" status put on their file to watch out for suspicious activity, Sony said.

In an interview with Channel 4, Trend Micro's security research director Rik Ferguson agrees with Sony's advice, saying users should keep a close watch on their transactions. Ferguson added that e-mail passwords should be of particular concern, as they can unlock all sorts of other information linked to the e-mail address. It's like a skeleton key to all your other accounts, he said. Carole Thierault of Sophos says about 40% of internet users use the same password for every account.

3. Consider cancelling your credit card, or having a new credit card number re-issued to you

Action Fraud, the largest fraud reporting center in the UK, reminds users that keeping an eye on their account activity is their standard obligation, with or without the threat of fraud. Events like the Sony PlayStation hack merely serve as a reminder to be more vigilant. Others suggest taking it a step further and cancelling the card altogether.

4. Change your "secret answer" information for retrieving passwords

Graham Cluley, a developer at Sophos, highlights another piece of information that may have been stolen: secret answers for password retrieval. If hackers have this information, they can easily retrieve your new password after you've changed it. If your credit card issuer has the same feature, it's all the more reason to change. Play it extra safe and don't set a question that's traceable, such as your mother's maiden name or the last four digits of your phone number. Choose something that they won't find online, such as your first pet's name.

Lessons learned

The Sony incident will go down in history as one of the gaming world's biggest fiascoes. That much we're sure of. On the bright side, if we can call it that, online consumers and providers can learn a few new lessons, and perhaps relearn forgotten ones, in the world of security and public trust. eWeek, an IT business magazine, sums it up in ten points:

Big names can't always be trusted - Sony was a pioneer in technology, but it proved just as vulnerable to attacks as your average company.

Not all information should be shared - Too many companies, Sony included, ask for information they don't really need. Optional fields are left blank.

Sometimes it's out of your hands - Sony's breach proves that even the most vigilant users can be harmed through no fault of their own.

There's no comfort zone - It's when you fall into a sense of security ("Nothing's happened so far, anyway") that you're most vulnerable to data theft.

Sometimes, offline is better - The offline world has its share of security issues, but on the whole they are more manageable. If there's an offline alternative to sharing information, it may be worth a try.

Vigilance is key - Even without the threat of identity theft, consumers have a basic responsibility to monitor their accounts.

Cloud computing makes for a scary future - After the Sony fiasco, will users still be comfortable putting so much of their professional and personal information online?

Your antivirus isn't enough - Bolster your online arsenal with web-security software. These programs encrypt all communication from your computer, so that anything that's stolen will be useless to the thief.

Threats to your financial identity can exist anywhere - Playing a game of Portal 2 may be the last place you'd expect criminals to lurk, what with bank and government sites carrying much more sensitive information. But as it turns out, hackers don't discriminate.

Exposure must be minimised - The fewer the sites you give your information to, the better.

Important Links and Information for Australians concerned about the security of their financial identity

Related Posts

Mobile Payment Systems are popping up all over the place in the recent months, with serious entrants from Paypal, Google and Square. This article will give you an understanding as an Australian credit card user.

Discover the benefits of taking out Cyber Liability Insurance and what steps you can take to reduce the cost of your cover. Find out what Cyber Liability Insurance will cover you for in the event of a cyber attack.

Ask a Question

Do not enter personal information (eg. surname, phone number, bank
details) as your question will be made public

finder.com.au is a financial comparison and information service, not a bank or
product provider

We cannot provide you with personal advice or recommendations

Your answer might already be waiting – check previous questions
below to see if yours has already been asked

Your Question

Subscribe to our newsletter

Notify me of followup comments via e-mail.

Disclaimer: At finder.com.au we provide factual information and general advice. Before
you make any decision about a product read the Product Disclosure Statement and consider
your own circumstances to decide whether it is appropriate for you.
Rates and fees mentioned in comments are correct at the time of publication.
By submitting this question you agree to the finder.com.au privacy policy,
receive follow up emails related to finder.com.au and to create a user account where further
replies to your questions will be sent.

Disclaimer -
Hive Empire Pty Ltd (trading as finder.com.au, ABN: 18 118 785 121) provides factual information, general advice and services on financial products as a Corporate Authorised Representative (432664) of Advice Evolution Pty Ltd AFSL 342880. Please refer to our FSG - Financial Products. We also provide general advice on credit products under our own Credit Licence ACL 385509. Please refer to our Credit Guide for more information. We can also provide you with general advice and factual information on about a range of other products, services and providers. We are also a Corporate Authorised Representative of Countrywide Tolstrup Financial Services Group Pty Ltd. ABN 51 586 953 292 AFSL 244436 for the provision of general insurance products. Please refer to our FSG - General Insurance. We hope that the information and general advice we can provide will help you make a more informed decision. We are not owned by any Bank or Insurer and we are not a product issuer or a credit provider. Although we cover a wide range of products, providers and services we don't cover every product, provider or service available in the market so there may be other options available to you. We also don't recommend specific products, services or providers. If you decide to apply for a product or service through our website you will be dealing directly with the provider of that product or service and not with us.
We endeavour to ensure that the information on this site is current and accurate but you should confirm any information with the product or service provider and read the information they can provide. If you are unsure you should get independent advice before you apply for any product or commit to any plan. (c) 2016.

Important information about this website

finder.com.au is one of Australia's leading comparison websites. We compare from a wide set of major banks, insurers and product issuers.

finder.com.au has access to track details from the product issuers listed on our sites. Although we provide information on the products offered by a wide range of issuers, we don't cover every available product. You should consider whether the products featured on our site are appropriate for your needs and seek independent advice if you have any questions.

The identification of a group of products, as 'Top' or 'Best' is a reflection of user preferences based on current website data. On a regular basis, analytics drive the creation of a list of popular products. Where these products are grouped, they appear in no particular order.

Where our site links to particular products or displays 'Go to site' buttons, we may receive a commission, referral fee or payment.

We try to take an open and transparent approach and provide a broad based comparison service. However, you should be aware that while we are an independently owned service, our comparison service does not include all providers or all products available in the market.

Some product issuers may provide products or offer services through multiple brands, associated companies or different labelling arrangements. This can make it difficult for consumers to compare alternatives or identify the companies behind the products. However, we aim to provide information to enable consumers to understand these issues.

Providing or obtaining an estimated insurance quote through us does not guarantee you can get the insurance. Acceptance by insurance companies is based on things like occupation, health and lifestyle. By providing you with the ability to apply for a credit card or loan we are not guaranteeing that your application will be approved. Your application for credit products is subject to the Provider's terms and conditions as well as their application and lending criteria.

Please read our website terms of use for more information about our services and our approach to privacy.